Security Flaw: Forgot Password Mechanism Can Circumvent Verification

We have a private customer support portal, available only to "Verified" customers.

To make that work, Freshdesk recommended that we could simply turn off the Email Notification - User Activation Email and verify customers manually. 

This does prevent a person who's emailed in an issue from automatically getting an activation email. 

When a user visits the portal url they are asked to log in. As they've not been verified, they cannot. So far, so good.

But unfortunately, if they click on the "forgot your password?" link, they are prompted to enter their email address and are sent a link to set a new password. 

Once they do this they are verified.

Major fail.

For this mechanism to work:

The forgot password process should check first to see if the user is verified.

If they are not verified:
- If the User Activation Email is enabled: it should be resent with a new timed link.
- If the User Activation Email is not enabled: the user should be sent a message, configurable by a Freshdesk administrator, informing them of what will happen.

If they are verified:
- The password reset should be processed.


Thanks!


9 people have this problem
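The gated flow proposed in the post above, written out as an added example (this is not Freshdesk's code, and the in-memory user store, the `activation_email_enabled` setting, the outcome names and the 15-minute link lifetime are assumptions made for illustration). The point it demonstrates is that the reset-link branch is only reachable after the verified check, and that a token is bound to the purpose it was issued for, so an activation link can never be redeemed as a password reset and a reset link is never issued to an unverified account:

```python
"""Verification-gated password reset, modelled on the fix proposed in the thread.

Added example, not Freshdesk's code. The user store, the settings flag, the outcome
names and the token lifetime are assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a "timed link"


@dataclass
class User:
    email: str
    verified: bool
    company: Optional[str] = None


@dataclass
class Settings:
    activation_email_enabled: bool
    # Admin-configurable text sent to unverified users when activation mail is off
    unverified_notice: str = "Your account is awaiting manual verification by our team."


@dataclass
class Outcome:
    action: str  # "send_reset_link" | "resend_activation" | "send_notice" | "noop"
    token: Optional[str] = None
    expires_at: Optional[float] = None
    message: Optional[str] = None


# Issued tokens: token -> (lower-cased email, purpose, expiry). Constructed in-memory store.
_tokens: Dict[str, Tuple[str, str, float]] = {}


def _issue_token(email: str, purpose: str, now: float) -> Tuple[str, float]:
    """Mint a single-use random token bound to one account and one purpose."""
    token = secrets.token_urlsafe(32)
    expires = now + TOKEN_TTL_SECONDS
    _tokens[token] = (email.lower(), purpose, expires)
    return token, expires


def request_password_reset(email: str, users: Dict[str, User], settings: Settings,
                           now: Optional[float] = None) -> Outcome:
    """Decide what the 'forgot your password?' form should do for this address."""
    now = time.time() if now is None else now
    user = users.get(email.lower())
    if user is None:
        # Unknown address: send nothing. The caller shows the same generic page
        # for every outcome so the form does not reveal which addresses exist.
        return Outcome(action="noop")
    if not user.verified:
        if settings.activation_email_enabled:
            token, exp = _issue_token(user.email, "activate", now)
            return Outcome(action="resend_activation", token=token, expires_at=exp)
        return Outcome(action="send_notice", message=settings.unverified_notice)
    # Only a verified account reaches the reset branch.
    token, exp = _issue_token(user.email, "reset", now)
    return Outcome(action="send_reset_link", token=token, expires_at=exp)


def consume_token(token: str, purpose: str, users: Dict[str, User],
                  now: Optional[float] = None) -> Optional[User]:
    """Redeem a token once. Returns the user, or None if the token is unknown,
    expired, or was issued for a different purpose (a mismatched token is burned)."""
    now = time.time() if now is None else now
    entry = _tokens.pop(token, None)
    if entry is None:
        return None
    email, issued_for, expires = entry
    if issued_for != purpose or now > expires:
        return None
    user = users[email]
    if purpose == "activate":
        user.verified = True  # the only path that flips the verified flag
    return user
```

With the activation email switched off, an unverified requester gets only the administrator's notice and no link; with it on, they get a fresh activation link that cannot be redeemed as a reset. A reset link is minted only for an account that is already verified, which is exactly the check the original Freshdesk flow was missing.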

So, it sounds like the only way to prevent this security issue at this time is to disable the User Activation Email. Is that correct?

Hi Debi, 

Unfortunately simply disabling the User Activation Email doesn't help, because we don't have control over the "forgot password" mechanism. 
  1. If a person sends an email to your configured support email address 
  2. And then can navigate to the portal login page where the "forgot password" link is
  3. Then they can force the system to send them a link to let them in 

You can limit their access to some degree by restricting access to some areas or content by company. Since a new customer cannot add themselves to a company, they'll only see what a customer with no company can see. In our case just their own tickets. 

But even this has its limitations. If you have added Domain Names for a company, its users whose email addresses match those domains will be added to the company automatically. In our case this isn't much of a problem. But I could see how it might be for others.

 Mark

Mark, 


Thanks for the reply and the explanation. Are there plans in the future to tighten security and correct this flaw?


Debbi

I sure hope so!

...and I'm sure we're not alone...

We have a feature on the roadmap to address this. We'll let you know once that feature is taken up. It should be sometime at the end of the year.

Thanks for the update Abishek.

I may have found a workaround. Clicking the forgot my password link on the front page sends the requester the Requester Notifications>Password Reset Email message. While you can't disable the notification you can remove the password reset link from the message. This would impact your internal users from resetting their passwords with the link as well though. Any ideas on getting around that? 

We ran into this as well - would love a supported way to solve this issue!



We have the same issue here. We have a private customer support portal too, and a lot of customers can activate themselves without our activation.

Please let us know, it's a big problem

Also a problem for us... we'd also need the ability to deactivate a contact and/or customer without deleting them.


This is a problem for us too. On a side note, if you disable the verification emails for requesters, is there a rule that you guys have set up for agents to work tickets for manually sending the verification email?

We need a mode for activating new registrations; this does not seem properly secure.

Hello everyone,

We completely agree with everyone on this topic and definitely have plans to address it on our roadmap.

Unfortunately, I do not have an ETA as of now to promise upon. Sorry about that! Will surely keep you posted.

Thanks,

Anna